[PLUG-TALK] Municipal water/waste water IT security

Rich Shepard rshepard at appl-ecosys.com
Tue Jun 22 18:12:06 UTC 2021


On Tue, 22 Jun 2021, John Jason Jordan wrote:

> A few years ago there was a flap in the press because some federal rule
> suddenly required all water supply systems and reservoirs to be enclosed.

Yep.

> Think of how easy it would be to dump something toxic into the
> reservoir on Mt Tabor. As I recall, the City of Portland made a huge fuss
> because 1) it would cost millions and, 2) for many of our reservoirs it
> would likely be impossible anyway.

And someone did take a pee in one of the reservoirs. Caused major angst
despite the fact that the urea nitrogen increase, if it could be measured at
all, would be in the parts per trillion at most.

> It was obvious to me that the idiots who made the rule lived in flat
> country where 'reservoir' means a tank up on poles, and it never occurred
> to them that in mountain country we do things differently. Eventually the
> City of Portland prevailed on this issue, but we are still sitting ducks.

When the 1973 OPEC oil embargo hit I lived in eastern Illinois where there
was no public transportation other than hitch-hiking. The politicos in the
Washington-Boston corridor made policies based on inter- and intra-city
transpiration by bus or train. That such an option didn't apply to fly-over
country never occurred to them.

> Our salvation is that water from exposed reservoirs goes through a lot of
> pipe before it gets into our houses, so the evil acts of miscreants would
> be discovered before very many people suffer.

Not true, John. All potable water goes through a water treatment plant
before entering the distribution system to houses and businesses. The issue
is miscreants taking over the computers that control the chemicals and the
entire operation. This is what happened not long ago in Florida. As Krebs
wrote,

"In February, we learned that someone hacked into the water treatment plan
in Oldsmar, Fla. and briefly increased the amount of sodium hydroxide
(a.k.a. lye used to control acidity in the water) to 100 times the normal
level. That incident stemmed from stolen or leaked employee credentials for
TeamViewer, a popular program that lets users remotely control their
computers.

"In January, a hacker tried to poison a water treatment plant that served
parts of the San Francisco Bay Area, reports Kevin Collier for NBCNews. The
hacker in that case also had the username and password for a former
employee’s TeamViewer account."

The issue is SCADA[1] security.

Rich

[1] Supervisory Control And Data Acquisition



More information about the PLUG-talk mailing list